Another day, another installment in the LockBit saga. The latest development in the never-ending story of cyber-criminal gangs versus law enforcement agencies is nearly worthy of its own TV series. But what does it mean for you—the person who must defend your organization and maintain its ability to operate amidst all the chaos?
The gang behind the curtain
The recent exchange of public statements between LockBit and the UK’s National Crime Agency (NCA) and its partners—including the US Department of Justice and Federal Bureau of Investigation—appears to be something of a mind game. Still, this evolving situation gives us another peek behind the curtain of cyber-criminal activity.
Cyber criminals operate like any other organized operation. They have vendors and supply chains, like any typical company. And as in any business transaction, these relationships rely on a certain amount of trust. Of course, in the criminal world, trust is an expensive currency.
This warped sense of corporate pride is reflected in the statement from LockBitSupp, the person allegedly behind the LockBit operation.
I find the emphasis interesting: “… I am on the right track,” LockBitSupp claims, and “…no hack … can stop a business from thriving.” The writer claims to be in the business of “pentest with postpaid,” which makes LockBit’s criminal ransomware endeavors sound almost legit.
This emphasizes that cybercrime is a well-organized operation. As such, we need a well-organized defense to tackle it.
A never-ending battle
The fight between defenders and adversaries is an around-the-clock battle. As we’ve seen in previous cases, it was only a matter of time before the group resurfaced in its entirety with a new name or its members joined other ransomware groups. It’s just that few cybersecurity pundits thought they would reemerge so soon.
Make no mistake: The ransomware scourge of the past five years has captured the attention of CISA, NCA, Interpol, FBI, and other global law enforcement agencies. Their daily fight to disrupt the unlawful actions of LockBit, BlackBasta, CLOP, ALPHV, and numerous other gangs continues in earnest.
Yet LockBit is proving to be a double-headed snake. Although last week’s global seizure of its assets was a major achievement by law enforcement, it didn’t take long for the group to resume operations. With more than $100M stolen (according to law enforcement), the group has the means and the motivation to “get back to business” as soon as possible. It certainly wasn’t going to quietly fade away after being embarrassed by a contingent of global law enforcement agencies.
As always, we remind our customers to maintain an “assume breach” mindset. Cybercriminal activity doesn’t stop, nor does it slow down. You can never let down your guard against threat actors. Building operational resiliency, including a backup and recovery plan that prioritizes critical assets like the identity infrastructure, is vital to protecting your employees, customers, and partners.
So, what can you do?
Most organizations know that it doesn’t pay to pay ransoms. But to be able to make a choice, you need a plan that gives you other options. Building organizational and operational resiliency into your digital ecosystem enables you to fight back and removes the reward that criminal ransomware gangs depend on. Here’s what building resiliency looks like:
- Immediately identify and assess your critical systems. Include infrastructure such as Active Directory (AD) and other identity repositories; 9 out of 10 cyberattacks target AD.
- Operate with an “assume breach” mindset. If you find one compromised system or one malicious activity (such as password interception), assume there are others that you have not discovered.
- Monitor for unauthorized changes in your identity infrastructure (for example, AD, Entra ID, Okta).
- Maintain real-time visibility into any changes to elevated network accounts and groups.
- Continuously back up your identity systems with a cyber-first approach in mind, enabling speedy, malware-free recovery.
- Maintain a copy of any compromised environment so that you can perform a full forensics investigation.
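One concrete form of the monitoring the list above calls for is to watch the Windows Security log for membership changes to the directory's most privileged groups and raise an alert on any change not made by a change-controlled admin account. The script below is an added example, not code from the original post or from any product; the Tier-0 group list, the approved-actor allowlist, and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass

# Group-membership change event IDs in the Windows Security log.
GROUP_CHANGE_EVENTS = {
    4728: "added to global group", 4729: "removed from global group",
    4732: "added to local group", 4733: "removed from local group",
    4756: "added to universal group", 4757: "removed from universal group",
}
# Groups whose membership effectively controls the directory (assumed list).
TIER0_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                "administrators", "account operators"}

@dataclass
class Alert:
    event_id: int
    actor: str
    group: str
    member: str
    reason: str

def audit_group_changes(events, approved_actors=frozenset()):
    """Return an Alert for each Tier-0 membership change made by an actor
    outside the change-controlled allowlist (names compared case-insensitively)."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        group = ev.get("TargetUserName", "")   # for these IDs, the group name
        actor = ev.get("SubjectUserName", "")  # the account that made the change
        if eid not in GROUP_CHANGE_EVENTS or group.lower() not in TIER0_GROUPS:
            continue
        if actor.lower() in approved_actors:
            continue
        member = ev.get("MemberName", "")
        reason = f"{member} {GROUP_CHANGE_EVENTS[eid]} '{group}' by unapproved actor {actor}"
        alerts.append(Alert(eid, actor, group, member, reason))
    return alerts

# Constructed sample events (not real log data): one unapproved Tier-0 change,
# one approved change, one change to a non-privileged group, and a logon event.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "svc-backup", "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"},
    {"EventID": 4732, "SubjectUserName": "adm-alice", "TargetUserName": "Administrators",
     "MemberName": "CN=svc-monitor,CN=Users,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "adm-alice", "TargetUserName": "Sales",
     "MemberName": "CN=bob,CN=Users,DC=corp,DC=example"},
    {"EventID": 4624, "SubjectUserName": "bob", "TargetUserName": "bob"},
]

if __name__ == "__main__":
    for a in audit_group_changes(SAMPLE_EVENTS, approved_actors={"adm-alice"}):
        print(f"[ALERT] event {a.event_id}: {a.reason}")
```

In practice the event dicts would be populated from the Security log or a SIEM export, and a change to a Tier-0 group by an unapproved account should be treated as a possible sign of the compromise the "assume breach" bullet warns about.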
The ransomware scourge needn’t cripple organizations. With proper planning and an organizational approach to securing critical assets, you can watch the drama unfold rather than get caught up in it.